In May 2017 a ransomware attack later named “WannaCry” hit more than 200,000 computers across the globe. In the weeks after, business leaders hurried to evaluate their own cybersecurity strategies for inclusion of protective measures against ransomware attacks. After all, the WannaCry attack seized critical data that rendered nearly 20 percent of hospitals in the United Kingdom unable to care for their patients.
The nature of the WannaCry attack is unique, but ransomware itself is not. Ransomware’s ability to affect operations can wreak havoc on a company’s infrastructure, reputation and finances. Having proactive safeguards in place could have protected companies and their leadership from falling victim to the effects of WannaCry in the first place.
What is Ransomware?
Ransomware is a sophisticated piece of malware, or malicious software that is intended to damage or disable a computer system. It takes the malware a step further, blocking the victim’s access to their system or files until they pay a ransom to regain access. Usually these ransom payments have a time limit before the ransom will increase or the data will be destroyed. Because ransomware features unbreakable encryption, individual users typically can’t decrypt the files on their own.
The information technology community recognizes ransomware attacks as early as 1989 when the “AIDS Information Introductory Diskette” was distributed to a select group of people by Dr. Joseph Popp. The floppy disk counted each time the computer was booted until the count reached 90 and then encrypted files to render the system unusable until a renewal license was purchased from PC Cyborg Corporation. Historically, ransomware attacks like the AIDS Info Disk required some element of human interaction to set the malware in motion. This could occur from downloading software from a floppy disk or, in more recent years, clicking a corrupt link in your email or downloading a corrupt file from the internet.
What makes WannaCry so interesting is that it didn’t rely on users making a mistake in order to become successful. The attack was a worm that spread itself to random IP addresses, exploiting a Windows vulnerability for which Microsoft released a patch in March. Worms were very successful in the early days of the internet, and WannaCry demonstrates that hackers are constantly reinventing their methods to stay one step ahead—even if it means returning to formerly successful strategies that users no longer think to protect themselves against. If hackers are evolving, shouldn’t companies evolve how they consider cybersecurity?
Proactive Protection is Key
Many companies evaluate their cybersecurity policies semi-regularly, but it is often in response to the release of a major threat like WannaCry. Taking steps to update cybersecurity policies to address a specific attack can help your company protect itself from a future attack of a similar nature. However, looking backward at history to develop your strategy doesn’t necessarily account for future attacks with unique, never-before-seen execution methods. Taking the following four steps will help you create and implement a clear, holistic cybersecurity strategy that should be able to work in multiple situations.
Step 1: Create Cybersecurity Procedures and Controls
Cybersecurity is focused on protecting the digital access points of data, such as computers, smart phones, networks and servers. At a minimum, business leaders need to understand what assets are most valuable to their company, where they are supposed to reside, where they actually reside, who touches them and how access to them is managed. Putting together formal internal policies, procedures and controls can help your company protect its valuable assets, saving money, data and reputation in the long run.
Each company has a unique infrastructure, so cybersecurity procedures will range in size and complexity. Ideally, companies should tailor their documented policies, procedures and controls to their business and review and test them regularly. Typical internal policy documents address industry compliance requirements (if applicable), infrastructure (systems to guard data), procedures and responsibilities for implementation, maintenance, and incident response. Internal policies, procedures and controls should address vulnerabilities on different types of attack vectors because the strategies of hackers keep changing. If protection against malware is a concern, policies, procedures and controls for backing up data and updating security patches on devices should be included.
Step 2: Train Your Users
Once cybersecurity internal policies and procedures are documented, it is important for business leaders to share those with their company’s users. Studies have shown that up to 30 percent of data breaches are related to negligent employees or contractors accidentally releasing private data. And while WannaCry didn’t rely on the human factor, many malware attacks use phishing to exploit users.
At a minimum, users need to understand what their company’s cybersecurity policies and procedures contain. What best practices should they be incorporating into their day-to-day work habits? Who are the key personnel tasked with cybersecurity? Even with effective training in place, companies should anticipate that an incident might still occur—by user mistake or otherwise. Training users on what they need to do when an incident occurs is another critical component to maintaining security. What should they do if they receive a malicious email? Who should they contact if their physical device is compromised?
Training should also occur at the senior management and board level. Board members, officers and directors should periodically review internal cybersecurity policies and procedures and document training on the latest industry threats, best practices and cyber insurance. Not only will the training help executives manage their oversight of cyber risk, but it also provides a layer of protection against personal liability. After a cyber incident occurs, executives could become vulnerable to litigation over allegations that management had a lack of oversight. Documentation can help provide a stronger defense.
Step 3: Cover Yourself with Cyber Liability Insurance
Even with well-documented and tested procedures and a team of highly trained users, your company may fall victim to cybercrime. You can limit your financial, legal and reputational damage by obtaining the coverage of a cyber liability insurance policy. The insurance addresses two critical risks: first, the liability risk to your business if sensitive client or employee information is compromised and second, the substantial cost of notifying clients that their information has been compromised, credit monitoring, fines, legal fees and forensics. The average cost per stolen record can run anywhere from $158 to $355 depending on the industry class.
Cyber liability insurance policies include a variety of coverage options and can vary from policy to policy. If you already have a cyber insurance policy in place, evaluate the coverage areas that are included and any limitations. Your existing policy may not include provisions that cover your company against ransomware attacks or require data or portable media devices be encrypted. Once you have an insurance policy in place and are comfortable with its coverage, update your documented cybersecurity procedures to account for any insurance policy requirements in the event of an incident. If, for example, certain vendors need to be used or certain parties need to be notified, this should be documented in your overall cybersecurity strategy.
Step 4: Prepare to Respond When an Incident Occurs
While a cyber liability insurance policy is a critical component of responding to an incident, it cannot fully return your company to normal operations. Creating and implementing an incident response and recovery plan guides your employees and stakeholders on what to do if the worst case scenario occurs. All incident response plans should include the key team members tasked with remediation, communication procedures, critical systems and any potential workarounds that can keep operations functioning, and an estimated recovery timeline to contain a breach. Documenting a decision-making process as part of the incident response plan will increase the likelihood that your company can act quickly and meet recovery deadlines.
State and federal breach notification laws should be considered when drafting your incident response plan. Compliance will be important, and you will need to plan for the timing and cost associated with it. Revisiting your company’s cyber liability insurance policy during the drafting process is critical as well. Your policy might require certain notification procedures be implemented, and it will be important to include those contacts in your overall incident response plan. Understanding and completing what your policy requires you to do will increase the probability that the policy will cover you.
Holistic Strategies Withstand the Test of Time
Your primary objective when designing your cybersecurity strategy is to identify the critical areas that require protection and put the steps in place to protect them regardless of the attack vector. Since threats to your organization will constantly evolve, having dynamic cybersecurity policies and an incident response plan in place helps your company prepare to minimize the impact of disruptive situations. Including every possible scenario will most likely result in a complex document that isn’t practical when employees need to act quickly. Focusing too narrowly on specific incidents could hinder your company’s ability to respond. The key is to not overcomplicate the context. Account for critical systems, places, people and procedures, and your strategy should apply to multiple situations. To add additional safeguards consider obtaining a cyber liability insurance policy. Review everything annually to account for any changes to your business or the risk landscape.
Related Reading and Additional Information
For more information about the information presented in this article, contact Holly Henderson, CBIZ Risk & Advisory Services, (216) 525-1924. Additional information can also be found online: Risk Advisory Services and Cyber Liability Insurance.